Snort mailing list archives
RE: Oracle Database Table Explanation
From: "Ray Seals" <rseals () vdsi net>
Date: Fri, 1 Jun 2001 13:38:40 -0500
I solved this issue and here is what happened. When an event happens I would get a message saying database: oracle_error: ORA-10401: inserted value too large for column. The create_oracle file creates an event table with a timestamp field that is varchar2(24). For some reason this is too small. The reason I say "for some reason" is the fact that I have it working and counted the characters and it only has 24. So, I increased the size to 30, which is too big but it fixes the problem. I'm going to resize the field to 25 and see if that is the number.

I'm also going to have my DBA go through the create_oracle and see if we can improve on it.

I also have notes on compiling snort on a Solaris for Intel box. I'm going to write them up and see if I can't get them added to the site.

Ray

-----Original Message-----
From: roman () danyliw com [mailto:roman () danyliw com]
Sent: Friday, June 01, 2001 8:13 AM
To: rseals () vdsi net
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Oracle Database Table Explanation

> Snort is adding stuff to the IPHDR, ICMPHDR, IPHDR, TCPHDR and UDPHDR files respectively.

Any chance that the permissions on the "event" table do not have INSERT privilege for the snort db user?

Are there any error messages generated by Snort? Try recompiling Snort in DEBUG mode to get extra diagnostics to see where the logging is failing. (i.e. make clean; make "-DDEBUG")

Roman

-----Original Message-----
From: roman () danyliw com [mailto:roman () danyliw com]
Sent: Tuesday, May 29, 2001 12:11 PM
To: rseals () vdsi net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Oracle Database Table Explanation

Ray,

> When snort generates a detect it puts the header files into the appropriate tables but I never get the snort_events table updated.

What version of Snort? I'm not sure what you mean by this statement. "Header files"? So is snort logging to the database or not? A row should be added to the "event" table for every triggered alert.

> This table references a signatures table but that table is empty also.

If both the signature and event table are empty then Snort is definitely not logging to the database? Any entries in the "sensor" table?

Roman

---------------------------------------------
This message was sent using Voicenet WebMail.
http://www.voicenet.com/webmail/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:
- Oracle Database Table Explanation Ray Seals (May 29)
- <Possible follow-ups>
- Re: Oracle Database Table Explanation roman (May 29)
- RE: Oracle Database Table Explanation Ray Seals (May 29)
- RE: Oracle Database Table Explanation roman (Jun 01)
- RE: Oracle Database Table Explanation Ray Seals (Jun 01)